Do you know what ISO 27001 is about? It is the international standard for information security management systems.
Nowadays, it is very important for a firm to obtain an ISO certification. ISO 27001 certification can be especially valuable for a firm operating in the IT sector, for example one that provides cloud services.
The core of this standard is the implementation of an information security management system (ISMS). The IT firm sets up standards to protect its information against breaches of availability, integrity or confidentiality. This implementation guarantees the protection of information for both clients and providers.
The structure of the implementation is quite complex. One way to implement the ISMS is to write a general security policy first, and afterwards policies, work instructions and records for each chapter.
These different types of documents cover information security, access control, information security management, communications and operations management, compliance, and so on.
Annex A defines 136 controls, and all of these controls have to be adopted in the ISMS. For each control that is not adopted, a valid justification must be given.
Every year, management reviews and internal audits have to be carried out, as well as an external audit. The external audit confirms that the firm still conforms to ISO 27001.
To conclude, implementing this ISO standard is an advantage for the marketing of the firm and its products. The drawback of implementing an ISO standard is that it is costly in terms of both time and money.